KMSAN: uninit-value in __fl

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KMSAN: uninit-value in __fl_lookup net	7				2	121d	121d	0/29	closed as invalid on 2026/02/18 04:33

Created	Duration	User	Patch	Repo	Result
2026/03/10 07:43	1h48m	retest repro		upstream	report log

=====================================================
BUG: KMSAN: uninit-value in __rht_ptr_rcu include/linux/rhashtable.h:394 [inline]
BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:637 [inline]
BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:677 [inline]
BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:715 [inline]
BUG: KMSAN: uninit-value in __fl_lookup+0x6ce/0x940 net/sched/cls_flower.c:273
 __rht_ptr_rcu include/linux/rhashtable.h:394 [inline]
 __rhashtable_lookup include/linux/rhashtable.h:637 [inline]
 rhashtable_lookup include/linux/rhashtable.h:677 [inline]
 rhashtable_lookup_fast include/linux/rhashtable.h:715 [inline]
 __fl_lookup+0x6ce/0x940 net/sched/cls_flower.c:273
 fl_mask_lookup+0x305/0xd60 net/sched/cls_flower.c:306
 fl_classify+0x36b/0x780 net/sched/cls_flower.c:353
 tc_classify include/net/tc_wrapper.h:197 [inline]
 __tcf_classify net/sched/cls_api.c:1764 [inline]
 tcf_classify+0x855/0x1ca0 net/sched/cls_api.c:1860
 multiq_classify net/sched/sch_multiq.c:39 [inline]
 multiq_enqueue+0x82/0x5a0 net/sched/sch_multiq.c:66
 dev_qdisc_enqueue net/core/dev.c:4151 [inline]
 __dev_xmit_skb net/core/dev.c:4266 [inline]
 __dev_queue_xmit+0x257f/0x5a50 net/core/dev.c:4802
 dev_queue_xmit include/linux/netdevice.h:3384 [inline]
 packet_xmit+0x8f/0x710 net/packet/af_packet.c:275
 packet_snd net/packet/af_packet.c:3077 [inline]
 packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xfe7/0x1080 net/socket.c:2592
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2681
 x64_sys_call+0x1e20/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 fl_set_masked_key net/sched/cls_flower.c:198 [inline]
 fl_mask_lookup+0x254/0xd60 net/sched/cls_flower.c:302
 fl_classify+0x36b/0x780 net/sched/cls_flower.c:353
 tc_classify include/net/tc_wrapper.h:197 [inline]
 __tcf_classify net/sched/cls_api.c:1764 [inline]
 tcf_classify+0x855/0x1ca0 net/sched/cls_api.c:1860
 multiq_classify net/sched/sch_multiq.c:39 [inline]
 multiq_enqueue+0x82/0x5a0 net/sched/sch_multiq.c:66
 dev_qdisc_enqueue net/core/dev.c:4151 [inline]
 __dev_xmit_skb net/core/dev.c:4266 [inline]
 __dev_queue_xmit+0x257f/0x5a50 net/core/dev.c:4802
 dev_queue_xmit include/linux/netdevice.h:3384 [inline]
 packet_xmit+0x8f/0x710 net/packet/af_packet.c:275
 packet_snd net/packet/af_packet.c:3077 [inline]
 packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xfe7/0x1080 net/socket.c:2592
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2681
 x64_sys_call+0x1e20/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 __skb_flow_dissect+0xfe4/0xa1f0 net/core/flow_dissector.c:1182
 skb_flow_dissect include/linux/skbuff.h:1603 [inline]
 fl_classify+0x349/0x780 net/sched/cls_flower.c:350
 tc_classify include/net/tc_wrapper.h:197 [inline]
 __tcf_classify net/sched/cls_api.c:1764 [inline]
 tcf_classify+0x855/0x1ca0 net/sched/cls_api.c:1860
 multiq_classify net/sched/sch_multiq.c:39 [inline]
 multiq_enqueue+0x82/0x5a0 net/sched/sch_multiq.c:66
 dev_qdisc_enqueue net/core/dev.c:4151 [inline]
 __dev_xmit_skb net/core/dev.c:4266 [inline]
 __dev_queue_xmit+0x257f/0x5a50 net/core/dev.c:4802
 dev_queue_xmit include/linux/netdevice.h:3384 [inline]
 packet_xmit+0x8f/0x710 net/packet/af_packet.c:275
 packet_snd net/packet/af_packet.c:3077 [inline]
 packet_sendmsg+0x91d9/0xa320 net/packet/af_packet.c:3109
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xfe7/0x1080 net/socket.c:2592
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2681
 x64_sys_call+0x1e20/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4508 [inline]
 slab_alloc_node mm/slub.c:4830 [inline]
 kmem_cache_alloc_node_noprof+0x3cd/0x12d0 mm/slub.c:4882
 kmalloc_reserve net/core/skbuff.c:613 [inline]
 __alloc_skb+0x855/0x1190 net/core/skbuff.c:713
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6750
 sock_alloc_send_pskb+0xacb/0xc60 net/core/sock.c:2995
 packet_alloc_skb net/packet/af_packet.c:2927 [inline]
 packet_snd net/packet/af_packet.c:3020 [inline]
 packet_sendmsg+0x7477/0xa320 net/packet/af_packet.c:3109
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xfe7/0x1080 net/socket.c:2592
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2681
 x64_sys_call+0x1e20/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5984 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
=====================================================

Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2026/02/22 08:52	upstream	3544d5ce36f4	6e7b5511	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-root	KMSAN: uninit-value in __fl_lookup
2026/03/26 12:11	upstream	d2a43e7f89da	c6143aac	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-root	KMSAN: uninit-value in __fl_lookup
2026/03/26 12:10	upstream	d2a43e7f89da	c6143aac	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-root	KMSAN: uninit-value in __fl_lookup
2026/02/24 07:42	upstream	7dff99b35460	41d2fa6a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-root	KMSAN: uninit-value in __fl_lookup
2026/02/20 10:46	upstream	8bf22c33e7a1	17d780d6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-root	KMSAN: uninit-value in __fl_lookup
2026/02/19 22:52	upstream	2b7a25df823d	73a252ac	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-386-root	KMSAN: uninit-value in __fl_lookup